ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2010/08/11 21:12
Program Version:    Version 1.3.5.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xB9F08000    Size: 98304    File Visible: No    Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB58AC000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60A000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB532C000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\All Users\Dane aplikacji\BitDefender\BehavioralScanner\Feedback\0_0000_20100811191315000_02332_RootRepeal.exe_dc39f51e969213fe.mdet.pending
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\all users\dane aplikacji\bitdefender\desktop\events\history.xml
Status: Size mismatch (API: 409000, Raw: 408614)

SSDT
-------------------
#: 017    Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3ae4

#: 019    Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3e4e

#: 025    Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xb9f8d028

#: 031    Function Name: NtConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed513e

#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed4868

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed55c6

#: 045    Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xb9f80b00

#: 047    Function Name: NtCreateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3f98

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed401a

#: 050    Function Name: NtCreateSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed468c

#: 053    Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed36e6

#: 066    Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed56c6

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed82f4

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xb9f815dc

#: 073    Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xb9f8d120

#: 084    Function Name: NtFsControlFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed5804

#: 097    Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed625c

#: 116    Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed477c

#: 119    Function Name: NtOpenKey
Status: Hooked by "a347bus.sys" at address 0xb9f8cfa4

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed8046

#: 125    Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed45ac

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed8174

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed39e2

#: 160    Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xb9f815fc

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xb9f8d076

#: 180    Function Name: NtQueueApcThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3ef0

#: 193    Function Name: NtReplaceKey
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed5dbe

#: 199    Function Name: NtRequestPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed51ce

#: 200    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed4f6a

#: 204    Function Name: NtRestoreKey
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed5e2e

#: 210    Function Name: NtSecureConnectPort
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed5374

#: 213    Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed37d6

#: 237    Function Name: NtSetSecurityObject
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed5d4e

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3be8

#: 241    Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xb9f8c550

#: 253    Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3944

#: 254    Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed38a6

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3dac

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed7fb6

#: 258    Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed8402

#: 277    Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed35e4

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System    Address: 0x8ad6f6d8    Size: 11

Object: Hidden Code [Driver: Udfsȅ瑎てȁం䵃䥖㛨ƥȂ瑎て, IRP_MJ_READ]
Process: System    Address: 0x8ac9e648    Size: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System    Address: 0x8aaa8898    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System    Address: 0x8aa9a2d0    Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System    Address: 0x8accef20    Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System    Address: 0x8ab663f0    Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System    Address: 0x8ac31e78    Size: 11

Object: Hidden Code [Driver: Npfsࠅఈ䵃慖, IRP_MJ_READ]
Process: System    Address: 0x8acb13f8    Size: 11

Object: Hidden Code [Driver: Msfsȅ఑扏济Root#MS_L2TP, IRP_MJ_READ]
Process: System    Address: 0x8acd0988    Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System    Address: 0x8ac319c0    Size: 11

Object: Hidden Code [Driver: Cdfsȅః瑎て, IRP_MJ_READ]
Process: System    Address: 0x8ad98bf0    Size: 11

Shadow SSDT
-------------------
#: 307    Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3352

#: 323    Function Name: NtUserCallOneParam
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3474

#: 347    Function Name: NtUserDdeSetQualityOfService
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed32e6

#: 383    Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed32a6

#: 414    Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3168

#: 416    Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed3124

#: 460    Function Name: NtUserMessageCall
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed2ea6

#: 475    Function Name: NtUserPostMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed2d30

#: 476    Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed2d84

#: 491    Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed2f04

#: 502    Function Name: NtUserSendInput
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed2cf6

#: 549    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed268c

#: 552    Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2010\bdselfpr.sys" at address 0xb4ed29be

==EOF==